ARE YOU READY FOR WINDOWS 10? Todd Parkin & Chris Owens

ARE YOU READY FOR WINDOWS 10? Presented by:

Todd Parkin & Chris Owens @kraftkennedy www.kraftkennedy.com/blog

#ILTACON #ILTA172

www.linkedin.com/company/kraft-kennedy New York | Washington DC | Texas | California

27+ Years of Experience Long Standing Commitment to Legal ILTA Platinum Sponsor/ALA Sponsor Experienced, Highly Trained & Certified Consultants

Premier Technology Partner

80 Exchange 2010/2013 Projects, 80,000+ Seats 100 Windows 7/8.1 & Office 2010/2013 Projects, 90,000+ Seats Data Center Migration Strategy and Implementation Projects Disaster Recovery/Business Continuity Planning Technology Assessments Project Management Legal Process Management Security Assessments, Digital Forensics and eDiscovery

Information Security & Governance

Enterprise Client Systems

Support Practice Group

Legal Process Management

Areas of Practice Infrastructure Enterprise Systems Management Consulting

Project Management

Our Partners

Agenda

What’s new for Windows 10 in the Enterprise?

How do I get there from here? Lessons learned from first adopters

Windows 10 for Enterprise

Be more productive

Innovative devices for your business

Protection against modern security threats

Managed for continuous innovation

MICROSOFT’S WINDOWS 10 VISION

One converged Windows platform

NEW CHALLENGES REQUIRE A NEW PLATFORM Identity protection

Data protection

Threat resistance

Device security

Windows 10 Security Approach

Identity Protection

Information Protection

Device Protection

Identity Protection

Microsoft Passport, Windows Hello, Hyper-V "Virtual Secure Mode (VSM)"

Identity Protection

TYPICAL MULTI-FACTOR AUTHENTICATION IMPLEMENTATIONS: MFA is applied to high-value assets only; most network resources are still reached with a username/password by the user.

LIMITED USE OF MFA CREATES WEAK LINKS

Device-based multi-factor USER CREDENTIAL: your device is one of the factors. The credential is an asymmetric key pair, provisioned via PKI or created locally via Windows 10, and secured by hardware.

Identity Protection

MICROSOFT PASSPORT: A new approach

1. User proves identity to the Windows 10 device.
2. Windows 10 to the IDP: "Trust my unique key" (IDP: Active Directory, Azure AD, Google, Facebook, Microsoft Account).
3. IDP to Windows 10: "Here is your authentication token".
4. Intranet resources: "We trust tokens from IDP".

Identity Protection

Two ways to access your Passport

PIN: simplest implementation option; works on existing devices; user familiarity.

Biometrics: enables multi-factor; ease of use; impossible to forget.

Identity Protection

WINDOWS HELLO ("Hello Chris"): Fingerprint, Iris, Facial

FIDO ALLIANCE Board level members

DEMO Microsoft Passport and Windows Hello

Information Protection

DATA LEAKAGE

87% of senior managers admit to regularly uploading work files to a personal email or cloud account [1]

58% have accidentally sent sensitive information to the wrong person [1]

$240 PER RECORD: average per-record cost of a data breach across all industries [2]

[1] Stroz Friedberg, "On The Pulse: Information Security In American Business," 2013
[2] HIPAA Secure Now, "A look at the cost of healthcare data breaches," Art Gross, March 30, 2012

INFORMATION PROTECTION NEEDS

DEVICE PROTECTION: protect system and data when the device is lost or stolen. BitLocker enhancements in Windows 8.1: InstantGo, 3rd party adoption.

DATA SEPARATION

LEAK PROTECTION

SHARING PROTECTION

Containment

Prevent unauthorized apps from accessing data

Protect data when shared with others, or shared outside of organizational devices and control

BYOD separation

Device Encryption is automatic encryption powered by BitLocker

DATA-AT-REST PROTECTION Device Encryption and BitLocker

BitLocker is provisioned by IT and includes management capability
- Easiest deployment, leading security, reliability, and performance
- Single sign-on for modern devices and configurable on legacy hardware
- Enterprise grade management (MBAM) and compliance (FIPS)
- TPM to be standard equipment on all Windows devices in 2015
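The slide lists management (MBAM) and compliance (FIPS) as the reasons to provision BitLocker through IT rather than relying on automatic Device Encryption. The script below is an added example, not code from the deck or from Microsoft: it audits the state a compliance report would check on one Windows 10 client (protection on, encryption complete, the OS volume bound to the TPM, a recovery password protector present, FIPS policy switched on). It uses the BitLocker PowerShell module and the standard FIPS policy registry value; run it elevated.

```powershell
# Added example (not from the deck): audit BitLocker state on a Windows 10 client
# before a deployment wave. Requires the BitLocker module (Pro/Enterprise) and an
# elevated session.
function Get-BitLockerAudit {
    # FIPS 140-2 mode is controlled by this Lsa policy value (1 = enabled).
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    $fipsOn = ($fips.Enabled -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types such as Tpm, TpmPin, TpmStartupKey, RecoveryPassword, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmBound    = [bool]($types -match '^Tpm')
        $hasRecovery = ($types -contains 'RecoveryPassword')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            Protection       = $vol.ProtectionStatus    # On / Off
            Status           = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            PercentEncrypted = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            TpmBound         = $tpmBound
            RecoveryPassword = $hasRecovery
            FipsPolicy       = $fipsOn
            # The first failing check is the finding a compliance tool would raise.
            Finding          = if ($vol.ProtectionStatus -ne 'On') { 'Protection off' }
                               elseif ($vol.VolumeStatus -ne 'FullyEncrypted') { 'Encryption incomplete' }
                               elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not $tpmBound) { 'OS volume not TPM-bound' }
                               elseif (-not $hasRecovery) { 'No recovery password protector' }
                               else { 'OK' }
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

A volume with "Protection off" while "FullyEncrypted" is the case that automatic Device Encryption leaves behind when no Microsoft account or AD backup of the recovery key has occurred, so it deserves the same attention as an unencrypted disk.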

INFORMATION PROTECTION NEEDS

DEVICE PROTECTION: protect system and data when the device is lost or stolen. BitLocker enhancements in Windows 8.1: InstantGo, 3rd party adoption.

DATA SEPARATION Containment

BYOD separation

LEAK PROTECTION

SHARING PROTECTION

Protects data at rest, and wherever it rests or may roam to

INTRODUCING Enterprise Data Protection A DIFFERENT APPROACH

Seamless integration into the platform: no mode switching, use any app. Corporate vs personal data identifiable wherever it rests on the device.

INFORMATION PROTECTION NEEDS

DEVICE PROTECTION

DATA SEPARATION

LEAK PROTECTION

Containment

Prevent unauthorized apps from accessing data

BYOD separation

SHARING PROTECTION

Protects data at rest, and wherever it rests or may roam to

INTRODUCING Enterprise Data Protection A DIFFERENT APPROACH

- Seamless integration into the platform: no mode switching, use any app
- Corporate vs personal data identifiable wherever it rests on the device
- Prevents unauthorized apps from accessing business data
- Copy and paste protection and remote wipe of data on demand
- Common experience across all Windows devices with cross-platform support

INFORMATION PROTECTION NEEDS

DEVICE PROTECTION

DATA SEPARATION

LEAK PROTECTION

SHARING PROTECTION

Prevent unauthorized apps from accessing data

Protect data when shared with others, or shared outside of organizational devices and control

SHARING PROTECTION Rights Management Services

- Protect all file types, everywhere they go: cloud, email, BYOD, …
- Support for all commonly used devices and systems: Windows, OSX, iOS, Android
- Can be automatically applied to mail, OneDrive Pro, etc.

Adding persistent and non-removable protection to data

Significant improvements over Windows 7
- Support for B2B and B2B via Azure AD
- Support for on-premises and cloud-based scenarios (e.g.: Office 365)
- Seamless and easy to provision; support for FIPS 140-2 regulation and compliance

DEMO Enterprise Data Protection

Securing the device

Secure Boot

Device Guard

Device Health

Windows Defender

Windows Update for Business

Device protection

TWO PATHS TO CHOOSE FROM

Device Guard: a new approach for the Windows desktop; requires a change in process for apps; offers incredible protection.

Traditional Approach: the way things have always been; requires additional software to manage; carries increased risk.

Windows desktop can be configured to only run trusted apps, just like many mobile OS's (e.g.: Windows Phone)

DEVICE GUARD Getting Apps into the Circle of Trust

Supports all apps, including Universal and Desktop (Win32). Apps must be specially signed using the Microsoft signing service; no additional modification is required. The signing service will be made available to OEMs, IHVs, ISVs, and Enterprises. Windows desktop can be configured to only run trusted apps, just like many mobile OS's (e.g.: Windows Phone).
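Getting apps "into the circle of trust" in practice starts with a code integrity policy built from a reference machine and run in audit mode, so that anything outside the policy is logged rather than blocked while the app inventory is being cleaned up. The following is an added example, not the deck's or Microsoft's own code; it uses the ConfigCI cmdlets shipped with Windows 10 Enterprise, and the paths are placeholders.

```powershell
# Added example (not from the deck): build a Device Guard code integrity policy
# in audit mode from a reference machine. Assumes Windows 10 Enterprise with the
# ConfigCI module; file paths are placeholders.
$PolicyXml    = 'C:\CIPolicy\AuditPolicy.xml'
$PolicyBinary = 'C:\CIPolicy\SIPolicy.p7b'

# Scan the reference image. -Level Publisher trusts anything signed by the same
# publisher certificate; -Fallback Hash pins unsigned files by hash instead of
# silently leaving them out of the policy; -UserPEs includes user-mode binaries.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs `
             -FilePath $PolicyXml

# Rule option 3 is "Enabled:Audit Mode": violations are written to the
# CodeIntegrity event log instead of blocking execution. New-CIPolicy sets it
# by default; setting it explicitly documents the intent.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Convert to the binary form consumed by the kernel. To apply it, copy the file
# to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (or deploy via Group Policy).
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBinary

# Review what would have been blocked (event ID 3076 = audit-mode violation)
# before switching the policy to enforcement.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Only after the 3076 events stop appearing for legitimate business apps (or those apps are signed and merged into the policy) should the audit-mode option be removed; a Publisher-level policy enforced too early blocks line-of-business tools that were never signed.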

Windows Deployment

WINDOWS 10 WORKS WITH EXISTING MS INFRASTRUCTURE

Products (rated for "Supports Windows 10 Management" and "Supports Windows 10 Deployment"):
- System Center 2012 R2 Configuration Manager
- System Center 2012 Configuration Manager
- System Center Configuration Manager 2007
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008
- Microsoft Deployment Toolkit 2013 Update 1

DEPLOYMENT CHOICES

Wipe-and-Load: the traditional process
• Capture data and settings
• Deploy (custom) OS image
• Inject drivers
• Install apps
• Restore data and settings
Still an option for all scenarios

In-Place: let Windows do the work
• Preserve all data, settings, apps, drivers
• Install (standard) OS image
• Restore everything
Recommended for existing devices (Windows 7/8/8.1)

Provisioning: configure new devices
• Transform into an Enterprise device
• Remove extra items, add organizational apps and config
New capability for new devices

App, web and device compatibility

Managed for Continuous Innovation

SET UP NEW DEVICES RIGHT OUT OF THE BOX

Use off-the-shelf hardware: retail or channel devices

Configure with a single file: apply a provisioning package

Simple workflow: email the file; the device is ready for productive use

MANAGEMENT CHOICES

Identity: Active Directory; Azure Active Directory

Management: Group Policy; System Center Configuration Manager; 3rd party PC management; Intune / 3rd party MDM

Updates: Windows Update; Windows Update for Business; Windows Server Update Services (WSUS); Intune / 3rd party MDM

Infrastructure: On-premises; In the cloud

Ownership: Corporate-owned; CYOD; BYOD

Organizations may mix and match, depending on their specific scenario

Managed for Continuous Innovation

PREPARING IMAGING PROCESSES FOR WINDOWS 10

[Figure: Market Driven Quality: External and Internal Users. Builds flow over time through successive rings: Engineering Builds, Broad Microsoft Internal Validation, Windows Insider Preview Branch, Current Branch, Current Branch for Business, with audiences growing from tens of thousands, to several million, to hundreds of millions, to over 1 billion Windows users; an organization ("Contoso") then stages the release through Internal Rings 1 to 4.]

Device protection

WINDOWS MANAGEMENT

Server Software (Windows Server): Active Directory; Group Policy; Windows Server Update Services (WSUS); System Center Configuration Manager; Microsoft Desktop Optimization Pack (MDOP)

Windows Client: Windows Management Instrumentation (WMI); Windows Remote Management (WinRM); Windows Update; Group Policy Client; Mobile Device Management (MDM) Agent; PowerShell; AppLocker

Cloud Services: Azure Active Directory; Azure RMS; Microsoft Intune; Windows Store

EXTENDING WITH WINDOWS 10 – HEAT MAP Deployment

Management

Security

Identity

Provisioning

CM vNext MDM

Virtualization-based security Device Guard Enterprise Data Protection

Microsoft Passport Windows Hello

New Windows ADK WICD MDM service

New feature management and configuration

Secure Boot Trusted Boot

Azure AD Azure AD Connect PKI Schema/DCs

Device UEFI 2.3.1 or later TPM 1.2 or later Virtualization Extensions Biometric Reader

[Figure: Internet Browsing timeline, 1995 to 2015, across Internet Explorer versions 1, 2, 3, 4, 4.x, 5, 5.5, 6, 7, 8, 9, 10 and 11: from HTML4, ES3, CSS2/CSS2.1 to the Modern Web of HTML5, SVG, ES5/6, CSS3.]

MICROSOFT EDGE IS…
• Built for Windows 10
• Built on the Universal Windows Platform
• Updated frequently, along with Windows 10
• Manageable through Group Policy, Mobile Device Management
• Ready for the future
• Free from legacy Internet Explorer extensibility points
• Built on top of modern security protections
• Able to launch Internet Explorer 11 when needed

DEMO
• Start Menu
• Notifications
• Cortana
• Questions
• Reminders
• Taskview
• Edge Browser

Getting to Windows 10

Windows 8.1 (x64) / Office 2013
• Tweak existing deployment process
• Minimal application updates required
• Drivers must be updated
• In-place upgrade worth testing

Windows 7 (x64) / Office 2013
• Tweak existing deployment process
• Minimal application updates required
• Drivers must be updated
• In-place upgrade worth testing

Windows 7 or 8.1 (x86) / Office 2013
• Full images will need to be rebuilt
• Many applications will require changes
• Drivers must be completely regenerated

Windows 7 / Office 2010 or 2007
• Full images will need to be rebuilt
• All applications will require changes
• Significant work required to certify all changes

Lessons Learned
• Application Updates
• Group Policy review (ADMX)
• Driver Updates
• Waiting for Microsoft tools: Microsoft Deployment Toolkit, SCCM Support, ADK, RSAT

Lessons Learned – Part 2
• In-place upgrade option
• Remote imaging process
• DirectAccess benefits
• Default user settings

Enterprise or Professional? Features compared across the two editions: Windows Hello & Passport, Enterprise Data Protection, Device Guard, Cortana, Edge browser, BitLocker, DirectAccess, Current Branch for Business

CONTACT INFORMATION Todd Parkin, Practice Manager [email protected] 212-692-5655 Chris Owens, Practice Leader [email protected] 713-221-5311 Thank you for coming!